Closed
Description
The following code:
<?php
// Bracketed namespace syntax: one named block (Foo) and one global block.
namespace Foo {
class Bar {
function Foo($bar) {
var_dump($bar);
}
function baz() { }
}
}
namespace {
function foo($baz) {
var_dump(strrev($baz));
}
(new \Foo\Bar)->Foo("test");
foo("test");
}
// Everything from here on sits outside any namespace {} block, which PHP
// refuses at compile time ("No code may exist outside of namespace {}").
spl_autoload_register(function($class) {
if ($class === 'A') {
class A {
public function method(B $x) {}
}
} else if ($class == 'B') {
// B narrows the parameter type of A::method() from B to C.
class B extends A {
public function method(C $x) {}
}
} else {
class C extends B {
}
}
});
$b = new B;
$c = new C;
?>
Resulted in this output:
==1977146==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000dbc at pc 0x55687f67b8a5 bp 0x7fff6e410180 sp 0x7fff6e410170
READ of size 4 at 0x603000000dbc thread T0
#0 0x55687f67b8a4 in zend_hash_num_elements /php-src/Zend/zend_hash.h:309
#1 0x55687f6885c6 in phpdbg_print_class_name /php-src/sapi/phpdbg/phpdbg_info.c:379
#2 0x55687f68988f in phpdbg_do_info_classes /php-src/sapi/phpdbg/phpdbg_info.c:410
#3 0x55687f6983a1 in phpdbg_internal_stack_execute /php-src/sapi/phpdbg/phpdbg_cmd.c:702
#4 0x55687f6987e3 in phpdbg_stack_execute /php-src/sapi/phpdbg/phpdbg_cmd.c:732
#5 0x55687f62cece in phpdbg_interactive /php-src/sapi/phpdbg/phpdbg_prompt.c:1547
#6 0x55687f5e69b8 in main /php-src/sapi/phpdbg/phpdbg.c:1610
#7 0x7f0f27278d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
#8 0x7f0f27278e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
#9 0x55687ce068d4 in _start (/php-src/sapi/phpdbg/phpdbg+0x32068d4)
0x603000000dbc is located 4 bytes to the left of 32-byte region [0x603000000dc0,0x603000000de0)
allocated by thread T0 here:
#0 0x7f0f27f77887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55687eb67b73 in __zend_malloc /php-src/Zend/zend_alloc.c:3280
#2 0x55687f57092a in zend_string_alloc /php-src/Zend/zend_string.h:176
#3 0x55687f570c7c in zend_string_init /php-src/Zend/zend_string.h:198
#4 0x55687f572c05 in zend_interned_strings_init /php-src/Zend/zend_string.c:114
#5 0x55687f5c3bf9 in zend_startup /php-src/Zend/zend.c:1042
#6 0x55687e6d8975 in php_module_startup /php-src/main/main.c:2144
#7 0x55687f5de8f7 in php_sapi_phpdbg_module_startup /php-src/sapi/phpdbg/phpdbg.c:705
#8 0x55687f5e3ace in main /php-src/sapi/phpdbg/phpdbg.c:1358
#9 0x7f0f27278d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /php-src/Zend/zend_hash.h:309 in zend_hash_num_elements
Shadow bytes around the buggy address:
0x0c067fff8160: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
0x0c067fff8170: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
0x0c067fff8180: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
0x0c067fff8190: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
0x0c067fff81a0: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
=>0x0c067fff81b0: fa fa 00 00 00 00 fa[fa]00 00 00 00 fa fa 00 00
0x0c067fff81c0: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
0x0c067fff81d0: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
0x0c067fff81e0: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
0x0c067fff81f0: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
0x0c067fff8200: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1977146==ABORTING
To reproduce:
phpdbg ./test.php
> i classes
PHP Version
PHP 8.4.0-dev
Operating System
ubuntu 22.04